WordPress Plugin Vulnerabilities

Astra Bulk Edit < 1.2.8 - Missing Authorization

Description

The Astra Bulk Edit plugin for WordPress is vulnerable to unauthorized missing authorization due to a missing capability check on the save_post_bulk_edit function in versions up to, and including, 1.2.7. This makes it possible for attackers with contributor-level access or higher to bulk edit posts.

Affects Plugins

Plugin icon
astra-bulk-edit
Fixed in 1.2.8

References

CVE
CVE-2023-44148
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/2548d5b0-1f1a-4847-a5ea-e3bb6f7a5013

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Rafie Muhammad
Verified
No
WPVDB ID
70b2aec1-fe5a-4952-a7b9-703a11d825f1

Timeline

Publicly Published
2023-09-22 (about 2 years ago)
Added
2023-11-24 (about 2 years ago)
Last Updated
2023-12-21 (about 2 years ago)

Other

Published
Title
Published
2023-07-17
Title
MultiParcels Shipping For WooCommerce < 1.14.14 - Subscriber+ Arbitrary Shipment Deletion
Published
2025-12-31
Title
Graphist <= 1.2.10 - Missing Authorization
Published
2024-06-04
Title
Gutenberg Blocks and Page Layouts – Attire Blocks < 1.9.3 - Missing Authorization
Published
2025-08-26
Title
All Bootstrap Blocks < 1.3.29 - Missing Authorization
Published
2025-08-23
Title
miniOrange's Google Authenticator < 6.1.2 - Missing Authorization